* + mm-huge_memory-fix-memory-corruption-on-huge-zero-page-move.patch added to mm-hotfixes-unstable branch
@ 2026-03-02 20:50 Andrew Morton
0 siblings, 0 replies; only message in thread
From: Andrew Morton @ 2026-03-02 20:50 UTC (permalink / raw)
To: mm-commits, ziy, willy, surenb, stable, ryan.roberts, rppt,
npache, liam.howlett, lance.yang, dev.jain, david, baolin.wang,
baohua, lorenzo.stoakes, akpm
The patch titled
Subject: mm/huge_memory: fix memory corruption on huge zero page move
has been added to the -mm mm-hotfixes-unstable branch. Its filename is
mm-huge_memory-fix-memory-corruption-on-huge-zero-page-move.patch
This patch will shortly appear at
https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches/mm-huge_memory-fix-memory-corruption-on-huge-zero-page-move.patch
This patch will later appear in the mm-hotfixes-unstable branch at
git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next via various
branches at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
and is updated there most days
------------------------------------------------------
From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Subject: mm/huge_memory: fix memory corruption on huge zero page move
Date: Mon, 2 Mar 2026 17:06:19 +0000
In commit eb1521dad8f3 ("userfaultfd: handle zeropage moves by
UFFDIO_MOVE"), handling was added to enable the moving of huge zero pages
in move_pages_huge_pmd().
This achieves this by setting src_folio to NULL, and adding subsequent
checks for src_folio being NULL to determine whether to perform the usual
move operations or to simply establish the huge zero page in the
destination.
As part of this change, when installing the destination huge zero page it
invoked mk_huge_pmd() on src_page, correctly.
However, commit e3981db444a0 ("mm: add folio_mk_pmd()") updated the code
in the huge zero page branch from mk_huge_pmd(src_page, ...) to
folio_mk_pmd(src_folio, ...), where src_folio is guaranteed to be NULL at
this point.
This resulted in an invocation of folio_mk_pmd(NULL, ...) in effect, which
causes an invocation of page_to_pfn(0) and results in the installation of
a corrupted PMD entry and undefined behaviour.
This patch fixes the issue by obtaining the zero folio via
page_folio(src_page) and feeding this into folio_mk_pmd(). This retains
the use of folio_mk_pmd() whilst avoiding the memory corruption.
Additionally, this code path was not updated to reflect the changes
introduced by commit d82d09e48219 ("mm/huge_memory: mark PMD mappings of
the huge zero folio special"), meaning a zero huge folio was installed but
not marked special in this case.
This patch additionally fixes that issue by invoking pmd_mkspecial().
With thanks to Chris Down who exposed this bug by adding an explicit test
for UFFDIO_MOVE in commit f07254dce67d ("selftests/mm: add UFFDIO_MOVE
huge zeropage PMD regression test").
Link: https://lkml.kernel.org/r/20260302170619.867056-1-lorenzo.stoakes@oracle.com
Fixes: e3981db444a0 ("mm: add folio_mk_pmd()")
Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
Cc: Barry Song <baohua@kernel.org>
Cc: David Hildenbrand <david@kernel.org>
Cc: Dev Jain <dev.jain@arm.com>
Cc: Lance Yang <lance.yang@linux.dev>
Cc: Liam Howlett <liam.howlett@oracle.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Nico Pache <npache@redhat.com>
Cc: Ryan Roberts <ryan.roberts@arm.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Zi Yan <ziy@nvidia.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---
mm/huge_memory.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/mm/huge_memory.c~mm-huge_memory-fix-memory-corruption-on-huge-zero-page-move
+++ a/mm/huge_memory.c
@@ -2796,8 +2796,12 @@ int move_pages_huge_pmd(struct mm_struct
/* Follow mremap() behavior and treat the entry dirty after the move */
_dst_pmd = pmd_mkwrite(pmd_mkdirty(_dst_pmd), dst_vma);
} else {
+ struct folio *zero_folio = page_folio(src_page);
+
+ VM_WARN_ON_ONCE_FOLIO(!is_huge_zero_folio(zero_folio), zero_folio);
src_pmdval = pmdp_huge_clear_flush(src_vma, src_addr, src_pmd);
- _dst_pmd = folio_mk_pmd(src_folio, dst_vma->vm_page_prot);
+ _dst_pmd = folio_mk_pmd(zero_folio, dst_vma->vm_page_prot);
+ _dst_pmd = pmd_mkspecial(_dst_pmd);
}
set_pmd_at(mm, dst_addr, dst_pmd, _dst_pmd);
_
Patches currently in -mm which might be from lorenzo.stoakes@oracle.com are
mm-huge_memory-fix-memory-corruption-on-huge-zero-page-move.patch
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2026-03-02 20:50 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-02 20:50 + mm-huge_memory-fix-memory-corruption-on-huge-zero-page-move.patch added to mm-hotfixes-unstable branch Andrew Morton
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox